Key name in AuthToken authorization #4080

Closed
jpocentek opened this issue Apr 28, 2016 · 3 comments

@jpocentek

The default key for TokenAuthorization is "Token". The most often used key is "Bearer". Not long ago I tried to change the authentication token name for our REST application. I found class TokenAuthentication on line 142 in authentication.py. It defines the method "authenticate_header", which returns "Token", so I thought that it would be possible to override this method and return "Bearer". No, it's not possible. I had to override the entire class just to change the token name. Did I miss something? This actually should be in the settings.py file. I don't know if there is another way to define the token name. If there is, please give me a link to the docs. If it's not possible, I could easily create a plugin that takes the token name from the settings file. The method "authenticate_header" seems not to be used at all. This is my modification:

from django.utils.translation import gettext_lazy as _
from rest_framework import exceptions
from rest_framework.authentication import (
    TokenAuthentication, get_authorization_header,
)


class CustomTokenAuthentication(TokenAuthentication):
    """ Modify default authorization header to much more common 'Bearer'.
    """
    header_key = b'bearer'

    def authenticate(self, request):
        auth = get_authorization_header(request).split()

        # Different scheme or no header: return None so that other
        # authentication classes can still be tried.
        if not auth or auth[0].lower() != self.header_key:
            return None

        if len(auth) == 1:
            msg = _('Invalid token header. No credentials provided.')
            raise exceptions.AuthenticationFailed(msg)
        elif len(auth) > 2:
            msg = _(
                'Invalid token header. Token string should not contain spaces.'
            )
            raise exceptions.AuthenticationFailed(msg)

        try:
            token = auth[1].decode()
        except UnicodeError:
            # One message string: adjacent literals are concatenated.
            msg = _(
                'Invalid token header. Token string should not contain '
                'invalid characters.'
            )
            raise exceptions.AuthenticationFailed(msg)

        return self.authenticate_credentials(token)

    def authenticate_header(self, request):
        # Value sent in the WWW-Authenticate header of a 401 response.
        return "Bearer"

@tomchristie
Member

The authenticate header determines if a 401 response should be used and if so what value the WWW-Authenticate header should have.

If you want to change the behavior of the token authentication you'll just need to do so explicitly.

@hroncok
Contributor

hroncok commented May 3, 2016

I've just come across the same problem.

@tomchristie would you accept a pull request that would set a keyword class variable to 'Token' in TokenAuthorization, and use it inside its methods (instead of hardcoding it, as is done now), so we can then do:

class BearerAuthentication(authentication.TokenAuthentication):
    '''
    Simple token based authentication using utvsapitoken.

    Clients should authenticate by passing the token key in the 'Authorization'
    HTTP header, prepended with the string 'Bearer '.  For example:

        Authorization: Bearer 956e252a-513c-48c5-92dd-bfddc364e812
    '''
    keyword = 'Bearer'

?
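
Added example, not part of the issue thread and not Django REST framework's own code: a simplified stand-alone model of the pattern discussed above, in which a single `keyword` class attribute drives both the scheme accepted in `Authorization` and the `WWW-Authenticate` challenge. Apart from `keyword`, `authenticate` and `authenticate_header`, the names (`TokenAuth`, `ChallengeOnlyOverride`, `respond`) and the user `alice` are hypothetical.

```python
class AuthenticationFailed(Exception):
    pass

class TokenAuth:
    keyword = "Token"  # scheme expected in the Authorization header
    tokens = {"956e252a-513c-48c5-92dd-bfddc364e812": "alice"}  # constructed store

    def authenticate(self, header: bytes):
        parts = header.split()
        # Different scheme or no header: not ours, let other authenticators try.
        if not parts or parts[0].lower() != self.keyword.lower().encode():
            return None
        if len(parts) == 1:
            raise AuthenticationFailed("No credentials provided.")
        if len(parts) > 2:
            raise AuthenticationFailed("Token string should not contain spaces.")
        try:
            token = parts[1].decode()
        except UnicodeError:
            raise AuthenticationFailed("Token contains invalid characters.")
        if token not in self.tokens:
            raise AuthenticationFailed("Invalid token.")
        return self.tokens[token]

    def authenticate_header(self):
        # Derived from the same attribute, so the challenge cannot drift
        # away from the scheme that authenticate() accepts.
        return self.keyword

class BearerAuth(TokenAuth):
    keyword = "Bearer"  # one-line change covers parsing and challenge

class ChallengeOnlyOverride(TokenAuth):
    # Overriding only the challenge: clients are told to send "Bearer",
    # but authenticate() still accepts nothing except "Token".
    def authenticate_header(self):
        return "Bearer"

def respond(auth, header: bytes):
    """Return (status, WWW-Authenticate value or None, user or None)."""
    try:
        user = auth.authenticate(header)
    except AuthenticationFailed:
        user = None
    if user is not None:
        return 200, None, user
    challenge = auth.authenticate_header()
    # A challenge value yields 401 with WWW-Authenticate; without one, 403.
    return (401, challenge, None) if challenge else (403, None, None)
```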

@hroncok
Contributor

hroncok commented May 3, 2016

Crafted in #4097

hroncok added a commit to hroncok/django-rest-framework that referenced this issue May 3, 2016
This allows subclassing TokenAuthentication and setting custom keyword,
thus allowing the Authorization header to be for example:

    Bearer 956e252a-513c-48c5-92dd-bfddc364e812

It doesn't change the behaviour of TokenAuthentication itself,
it simply allows to reuse the logic of TokenAuthentication without
the need of copy pasting the class and changing one hardcoded string.

Related: encode#4080
hroncok added a commit to hroncok/django-rest-framework that referenced this issue May 3, 2016
hroncok added a commit to hroncok/django-rest-framework that referenced this issue May 4, 2016
tomchristie pushed a commit that referenced this issue May 4, 2016